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Abstract. The study of finite projective planes involves planar func- 
tions, namely, functions f:¥ g — 5- ¥ q such that, for each a £ ¥*, the 
function c h-> f(c + a) — /(c) is a bijection on ¥ q . Planar functions are 
also used in the construction of DES-like cryptosystems, where they are 
called perfect nonlinear functions. We determine all planar functions on 
¥ q of the form c h> c', under the assumption that q > (t — l) 4 . This 
implies two recent conjectures of Hernando, McGuire and Monserrat. 
Our arguments also yield a new proof of a conjecture of Segre and Bar- 
tocci from 1971 concerning monomial hyperovals in finite Desarguesian 
projective planes. 



1. Introduction 

Let q = p r where p is prime and r is a positive integer. A planar function 
is a function /: ¥ q — > ¥ q such that, for every a E F*, the function c h- >■ 
f(c+a) — /(c) is a bijection on ¥ q . Planar functions can be used to construct 
finite projective planes, and they have been studied by finite geometers since 
1968 [6j. They arose more recently in the cryptography literature where they 
are called perfect nonlinear functions |20j , the idea being that these functions 
are optimally resistant to linear and differential cryptanalysis when used in 
DES-like cryptosystems. Many authors have investigated the planarity of 
monomial functions f(x) = x* with t > 0. Since x t is planar on ¥ q if and 
only if x t+q is planar, and likewise if and only if x tp is planar, the study 
of planar monomials reduces at once to the case that t < q and p\t. 

The only known examples of planar monomials x l over ¥ p r with p\t and 
t < p r are 

(1.1) t = p l + lif0<i<r and P gc ^ ir ^ is odd; and 

(1.2) t = if p = 3 and 2 < i < r and gcd(i, 2r) = 1. 

A folk conjecture in the subject asserts that there are no further examples. 
This is known to be true for r = 1 |13j and r = 2 [4], and also for r = 4 if 
P > 3 [5]- However, as noted in [3], the methods used in these papers will 
likely not extend to much larger values of r. In this paper we prove this 
conjecture for all large r: 
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Theorem 1.4. If x* is a planar function on ¥ p r } where p r > (t — l) 4 and 
p\t, then either (1.1) or (1.2) holds. 

Note that each of the known planar monomials over ¥ q has the property 
that it is also planar over F k for infinitely many integers k. One consequence 
of our result is that no other planar monomials have this property: 

Corollary 1.5. For any prime p and any positive integer t, the function 
c I—?- c is a planar function on ¥ k for infinitely many k if and only if either 

• t = p 1 + p? where p is odd and i > j > 0; or 

• t = 21+3^. where p = 3 and i > j > with i ^ j (mod 2) . 

This corollary resolves two conjectures of Hernando, McGuire and Mon- 
serrat [121 Conjectures PN2 and PN3]. It is the first known characterization 
of the known planar monomials among all planar monomials. 

Theorem 11.41 (in a slightly weaker form) was proved in the case t = 1 
(mod p) by Leducq [15]. Thus, the bulk of our effort addresses the case 
t ^ 1 (mod p). In this case, Theorem 11.41 (again in a slightly weaker form) 
was proved in [12] if t and p satisfy any of eight different conditions. We show 
that none of these extra conditions are needed. Our approach is quite differ- 
ent from that of [15] and [12] . Whereas those papers rely on dozens of pages 
of computations involving the singularities of an associated (possibly singu- 
lar and reducible) plane curve, we focus on the functional decomposition of 
a certain univariate polynomial. In particular, our most novel contribution 
is a method for testing whether a polynomial can be written as a function 
of a Dickson polynomial. 

After reviewing some background material in the next section, we prove 
Theorem 11.41 and Corollary 11.51 in Sections 3 and 4, respectively. Then in 
Section 5 we show that our techniques yield a simple proof of the Segre- 
Bartocci conjecture about hyperovals in Desarguesian projective planes. 

2. Background results 

In this section we present the known results about exceptional polynomi- 
als, Dickson polynomials, and functional decomposition which will be used 
in our proofs. We begin with some definitions. 

Definition 2.1. A polynomial F(x) £ ¥ q [x] is linear if it has degree one. 

Remark. What we call linear polynomials are sometimes called affine poly- 
nomials. 

Definition 2.2. A polynomial F(x) € ¥ q [x] of degree at least 2 is indecompos- 
able if there do not exist nonlinear G, H £ V q [x] such that F(x) = G(H(x)). 

Definition 2.3. A polynomial F(x) € F 9 [x] is exceptional if there are infin- 
itely many k for which the function c i— > F(c) is a bijection on ¥ q k. 
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Plainly every polynomial in F g [z] of degree at least 2 can be written 
as the composition of indecomposable polynomials in F g [x]. Moreover, for 
G,H E Fqfx], if G(H(x)) is exceptional then both G and H are exceptional 
(in fact the converse holds as well [22], but it will not be used in this pa- 
per). Thus, every nonlinear exceptional polynomial is the composition of 
indecomposable exceptional polynomials. Much difficult mathematics has 
been used in the study of indecomposable exceptional polynomials (see e.g. 
[9J [TO] 122]). and much remains to be done. However, we will not need any 
deep results about exceptional polynomials. Instead we will only rely on the 
following two known results. 

Proposition 2.4. If F(x) E F 9 [x] has degree at most q 1 ^, and the function 
c h- > F(c) induces a bisection on ¥ q , then F is exceptional. 

Proposition 2.5. // F(x) E F^[x] is an indecomposable exceptional poly- 
nomial of degree coprime to q, then there are linear fi, u E F g [x] such that 
fj, o F o v is one of the following polynomials: 

• x m for some prime m which is coprime to q — \, or 

• D n (x,a) for some a E F* and some prime n which is coprime to 



In this result, D n (x,a) denotes the degree- n Dickson polynomial of the 
first kind with parameter a. This is a polynomial in ¥ q [x] which satisfies the 
functional equation 



These polynomials are closely related to the Chebyshev polynomials of the 
first kind. Here we note only that, in light of the above functional equation, 
D n (x,a) has degree n and satisfies D n (—x,a) = (—l) n D n (x,a). Thus, if 
n is odd then D n (x,a) is an odd polynomial, in the sense that all of its 
terms have odd degree. For more information about Dickson polynomials, 
see [HIS]. 

Remark. Proposition 12.41 follows easily from Weil's bound on the number of 
rational points on a curve over a finite field. See [221 Rem. 8.4.20] for the 
history of this result. Proposition 12.51 is a slight variant of a result from [14] ; 
see |19] for a proof in the stated form. The proof of this result only depends 
on Weil's bound, group-theoretic results due to Burnside and Schur, and a 
quick and easy genus computation. Weil's bound follows from the Riemann- 
Roch theorem, and the two group-theoretic results are proved in a few pages 
in [16]. So, although deep tools have been used in the study of exceptional 
polynomials, Propositions 12.41 and 12.51 do not depend on such tools. 

The next result is well-known, but we include a proof for the reader's 
convenience. 

Lemma 2.6. For G,H E Fq[x], if G o H is an odd polynomial and deg(G) 
is coprime to q then H{x) — H(0) is odd. 
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Proof. Suppose otherwise. Let ax a and bx 13 be the leading terms of G and 
H, respectively, and let cx 7 be the highest-degree term of H having even 
degree. Then a and j3 are odd, and 7 is both even and positive. Writing 
5 := (a — 1)(3 + 7, and noting that 5 is even, it follows that the coefficient 
of x s in G o H is aab a ~ 1 c. Since this is nonzero, G o H has a term of even 
degree, which contradicts our hypothesis. □ 

Remark. The above lemma has been rediscovered many times. It is not 
true without the hypothesis on deg(G); one counterexample from [2] is G = 
(x + l) s (x — l) q ~ s and H = x q + (x + l) q ~ s (x-l) s with q odd and < s < q. 

Lemma 2.7. Let fj,, v £ ¥ q [x] be linear, and let G G F<j[x] /iai>e degree larger 
than 1 and coprime to q. If both G and fj, o G a v are odd, then v(0) = 0. 

Proof. Write v(x) = cx + d, and let ax and bx^ be the leading terms of 
{i and G. Then the coefficient of x l3 ~ 1 in o G o v is abf3c@~ 1 d. But this 
coefficient is zero by hypothesis, so d = 0. □ 

Finally, we recall Lucas's theorem about binomial coefficients mod p (see 
e.g. PHIE!): 

Lemma 2.8. Let p be prime and let m and n be positive integers. Write 
m = mo + m\p + ni2P 2 + • • • + m s p s and n := no + n\p + n2p 2 + • • • + n s p s 
where < m,,, n^ < p — 1 for each i. Then 

("WM ("')...("«) (m o dj ,). 
Vm/ \m J \m\J \m s J 

3. Proof of Theorem 11.41 

We now prove Theorem 11.41 Suppose that ar is a planar function on 
F p r where p r > (t — l) 4 and t > 2 and p { t. Planarity implies that, 
for F(x) := (x + 1)* — a; , the function c i-> -F(c) is a bijection on F p r. 
By Proposition 12. 4( F is an exceptional polynomial over ¥ p , so there are 
infinitely many k for which F induces a bijection on ¥ p k ; equivalently, there 
are infinitely many k for which ar is a planar function on F p fc. If t = 1 
(mod p) then |15^ Cor. 1.7] implies that (1.1) holds. Henceforth assume 
that t ^ 1 (mod p). 

Since F(— 1 — x) = (— 1)*-F(x), bijectivity of -F on ¥ p r implies that p is 
odd. Thus also c i-> F(c) is a bijection on ¥ p r, where 

F(x) := 4 i F(|-i)=(x + 2)*-(x-2)*. 

As above, Proposition 12.41 implies that F is an exceptional polynomial over 
¥ p . Since p f i, we have deg(F) = t — 1, so deg(F) > 1. Hence F can be 
written as the composition of indecomposable polynomials over ¥ p . Write 
F = F\ 0F2 with Fi £ ¥ p [x] and F2 indecomposable. Since F is exceptional, 
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it follows that i*2 is exceptional. Since deg(F) = £ — 1 is coprime to p, by 
Proposition 12.51 there are linear fi, v £ F g [x] such that either 

(3.1) F2 = /J, o x m o v for some prime m which is coprime to p — 1 
or 

(3.2) F2 =/u o D n (x, a) o v for some a £ F* and some prime ra 

which is coprime to p 2 — 1. 



In particular, since p is odd, it follows that in (J3JJ) we have m > 3 and 
(m, 2p) = 1, and in (|3.2p we have n > 5 and (n, 6p) = 1. 

Next, note that F(-x) = (-l) t+1 F(x). Since F induces a bijection on 
F p r, and p > 2, we cannot have F(—x) = F(x), so i is even and F is an 
odd polynomial. Now Lemma I2U1 implies that ^(x) — ^(0) is odd. Since 
F2 = n o H o v where fj,,u £ F p [x] are linear and H is either x m or D n (x, a), 
and since further deg(-ff) is odd, we know that H is odd. By Lemma [2. 71 we 
must have u (x) = cqx with Co £ F*. Thus F = GoH{cqx) where G := F%o ^ 
is in F p [x]. If H = x m with m > 3 then F £ F p [x m ], which is false since the 
coefficient of x in F is t(2*~i - (-2)*- 1 ) which (since t is even) equals t2 , 
and in particular is nonzero. Thus we must have H{x) = D n (x,a) where 
n > 5 is odd and a € F*. Now put 

A(x) := F o — - + - 
Co Va x 

Then 

is an element of F p [x n ,x But also 



x a 



A(a;)= — + — +2 - — + — - 
Vcoa cox / Vcoa cox 

Now put B(x) := ^c A(ax) and c := 2c ; then B £ Fp[x n ,x" n ] and 
B(x) = i^(x + x _1 + cf - (x + x -1 - cf 

The coefficient of x*" 1 in B{x) is tc, which is nonzero, so n \ (t — 1). Since 
B is a Laurent polynomial all of whose terms have degree divisible by n, 
and n > 5 is odd, it follows that the coefficients of x* -3 , x* -5 , and x'^ 7 in 
B must be zero. We now compute these coefficients. 
The coefficient of x' -3 in B is 



which equals 



Ct(t - 1) ( 1 -r^C 2 + 1 
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Since this coefficient is zero, we must have 
(3-3) ^c 2 = -1. 

Here, if p = 3, we first interpret ^g 2 - as a rational number, and then view 
this rational number as an element of ¥ p ; in particular, if p = 3 then t = 2 
(mod 3) but t ^ 2 (mod 9). 

Suppose for the moment that neither of the following holds: 

(3.4) p > 3 and t = — (mod p), or 

(3.5) p = 3 and ( m °d 9). 

We will obtain a contradiction from the fact that the coefficients of x* -5 and 
x'~ 7 in B are zero. The coefficient of x* -5 in 5 is 

*(V) + GK« + G>* 

by using (|3.3[) . we can simplify this expression to 

c3 t(t-l) (t-|)(t-4) 
'4 15 

Since this equals zero, but neither (|3.4[) nor f)3.5j) holds, we must have either 

(3.6) p > 5 and t = 4 (mod p), or 

(3.7) p = 5 and i = 4 (mod 25). 

In particular, p > 3, so (since f|3.4[) does not hold) we have (mod p). 

Next, the coefficient of x l ~ 7 in B is 



again using (J373J), we can simplify this expression to 

-A('-l) ( ' + 1)( '^ )( '" 3)(t " 5) . 

V ; 3 3 • 5 • 7 

Since this equals zero, and t = 4 ^ \ (modp), we must have t = — 1 
(mod p), whence p = 5. But since p = 5, the vanishing of the coefficient of 
x*~ 7 implies that t = —I (mod 25), which contradicts (|3.T|) . This contra- 
diction shows that in fact either (|3.4p or (|3.5p must hold. 

Now assume that either (|3.4p or (|3.5p holds. In either case, (|3.3j) implies 
that c 2 = 4, so c = 2e with e € {1, —1}- Hence 

2B(x) = (x + x' 1 + 2e)* - (x + a;^ 1 - 2e)*. 
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Since B(x) G ¥ p [x n ,x~ n ], it follows that B(x 2 ) G ¥ p [x 2n , x~ 2n }. But we 
compute 

2B{x 2 ) = {x+-) 2t -{x--) 2t = 2 ( 2 % l x 2t - 2 \ 

X X 0<i<2t ^ % ' 

i odd 

Since n is odd and n\ (t — 1), we see that n \ (2t — 2i) if and only if n j (£ — 1). 
Thus, the condition £?(x 2 ) G F p [x 2n ,x~ 2n ] asserts that 

/2A 

if £ is odd and £ ^ 1 (mod n) then (.1=0 (mod p). 



Write 2i = ^j=o e i^ where ej is an integer satisfying < ej < p — 1. 
Since either (I3.4p or f|3 . 5[) holds, we have 2t = 1 (mod p), so eo = 1. First 
consider i = 1 + 2P- 2 for any 1 < j < s. Clearly i is odd, and since the only 
prime factors of % — 1 are 2 and p, neither of which divides n, we also have 
i ^ 1 (mod n). Thus we must have ( 2 *) = (mod p), so Lucas's theorem 
(Lemma I2.8P implies e,- < 2. Hence every e,- is either or 1. Next, for any 
< j < k, consider the three values i\ = p J , 12 = p k , and is = 1 +p ? +p fe . 
Each of these values is odd, but since ^3 = 1 + i\ + 12 we cannot have 
z'l = £2 = «3 = 1 (mod n). Thus there is some i G {p J ,p fe , 1 + p J + p fe } 
for which ( 2< ) = (mod p), so (again by Lucas's theorem) we must have 
either ej = or = 0. Since 2t > 1, the only remaining possibility is that 
2t = 1 + p s for some s > 0. Writing g := p s , we compute 

F o {x 2 + x~ 2 ) = (x 2 + x' 2 + 2)' - (x 2 + x~ 2 - 2) 2 

= (x + x- 1 ) 1 ^ - (x - x- l ) 1+q 

= 2(x q - 1 

But also D{x) := Dq-i(x, 1) satisfies 

2 

Do(x 2 + x~ 2 ) =x q ~ 1 +x 1 ~ q , 

so F(x) = 2D{x). Since F{x) is exceptional over F p , it follows that D(x) is 
exceptional over F p as well. By an easy classical result (see e.g. (3 Thm. 54]), 
D{x) is exceptional over ¥ p if and only if is coprime to p 2 — 1. Since 
both and p 2 — 1 are divisible by we must have p = 3. Finally, since 
t = is even, we see that s is odd. This concludes the proof. 

4. Proof of Corollary 11.51 

We now prove Corollary 11.51 The "if" direction is known and easy: for, 
if p is odd and i > j > then 

(x + lf +pJ - x pl+p3 - 1 = x p * + x p3 

induces a homomorphism from the additive group of ¥ p k to itself, and there- 
fore induces a bijection on ¥ p k if and only if it contains no nonzero roots in 
F p fc. But the nonzero elements of the kernel are the — l)-th roots of 
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— 1 in F p k. There are no such roots of — 1 if i = j, and if i ^ j then there 

are no such roots in ¥ p k when (i — j) \ k. Thus x pl+p3 is planar on ¥ p k for 

infinitely many k. Next, for t = 3 where p = 3 and i > j > and i ^ j 
(mod 2), the argument at the end of the previous section shows that 

{x + lf -x f = -D s (x-l,l) 

where s := — y~- Since s is coprime to 3 — 1 = 2, Dickson's result 
Thm. 54] implies that D s (x, 1) is exceptional over F3, so x l is planar on ¥ 3 k 
for infinitely many k. 

Conversely, fix a prime p and a positive integer s, and suppose that c 1— > c s 
is a planar function on ¥ k for infinitely many k. Writing s = fPt with p \ t, 
it follows that c 1— > c* is planar on F k for infinitely many k. In particular, 
c 1 — y is planar on F p r for some r such that p r > (t — l) 4 , so Theorem 11.41 
implies that either (1.1) or (1.2) holds. The result follows. 

5. The Segre-Bartocci conjecture 

We now show how a simple modification of our argument yields a new 
proof of the Segre-Bartocci conjecture about monomial hyperovals in finite 
Desarguesian projective planes. This conjecture was only proved for the first 
time quite recently, by Hernando and McGuire [llj . by means of a lengthy 
calculation involving singularities of a certain plane curve. Our proof is 
considerably shorter and simpler. 

A hyperoval in P 2 (¥ q ) is a set of q + 2 points such that no three are 
collinear. It turns out that such objects can only exist if q is even. It is easy 
to see that, for a suitable choice of coordinates on F 2 (¥ q ), any hyperoval can 
be written in the form 

{(1 : c : H(c)) : c G FJ U {(0 : : 1), (0 : 1 : 0)} 

for some H(x) € F g [ac]. Denote this set by D(H(x)). Segre and Bartocci 
conjectured in 1971 [21] that the values t = 6 and t = 2 l (with i > 0) 
are the only positive integers t for which there are infinitely many k such 
that D(x t ) is a hyperoval in P 2 (F 2 ft). By considering slopes of lines between 
two points, one can reformulate this conjecture as asserting that t = 6 and 
t = 2* are the only positive integers t for which the polynomial F(x) := 
x 1 ^ 1 + x*~ 2 + • • • + 1 is exceptional over F2 (see, for instance, [TTJ p. 505]). 
Assume F is exceptional. Then -F(O) 7^ F(l), so t is even. Assume t > 2, so 
that deg(F) = t - 1 > 1. Put F(x) := F(x + 1), so 

F{x) _ (g+iy+i. 

Then F is an odd polynomial, so the first part of the proof of Theorem 11.41 
shows that F = G o H where H is either x m (with m > 1 odd) or D n (x, 1) 
(with n > 1 coprime to 6). If i 7 = G{x m ) with m > 1 odd then Lucas's 
theorem implies that t is a power of 2: for, if 2- 51 and 2 k are distinct terms 
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in the binary expansion of t, then F has terms of degrees 2 J — 1 and 2 k — 1 
and 2 J ' + 2 k — 1, and the gcd of these three degrees is 1. Finally, suppose 
F = GoD n (x,l). Then we have F(x + x" 1 ) = G(x n + x~ n ) E F 2 [x n ,x" n ]. 
In order to compute the coefficients of the Laurent polynomial F(x + x -1 ), 
we write 

Since the coefficient of x* -1 in .Ftx+x" 1 ) is nonzero, we see that n \ (t—1), so 
that the coefficients of x* -3 and x t ~ 7 must be zero. But one easily checks that 
this only occurs when t = 6, which implies the Segre-Bartocci conjecture. 
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